Summary

• Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system of a targeted user.

  The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server. The player can also be manually installed for offline playback after downloading the application from www.webex.com .

  If the WebEx recording player was automatically installed, it will be automatically upgraded to the latest, non-vulnerable version when users access a recording file that is hosted on a WebEx server. If the WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com .

  Cisco has released software updates that address these vulnerabilities.

  This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110201-webex.

Affected Products

• Vulnerable Products

  The vulnerabilities disclosed in this advisory affect the Cisco WebEx recording players. Microsoft Windows, Apple Mac OS X, and Linux versions of the player are all affected. Affected versions of the players are those prior to client builds T27LC SP22 and T27LB SP21 EP3.

  To determine whether a Cisco WebEx server is running an affected version of the WebEx client build, users can log in to their Cisco WebEx server and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details.

  Cisco recommends that users upgrade to the most current version of the player that is available from www.webex.com/downloadplayer.html .

  Products Confirmed Not Vulnerable

  No other Cisco products are currently known to be affected by these vulnerabilities.

Details

• The WebEx meeting service is a hosted multimedia conferencing solution that is managed and maintained by Cisco WebEx. The WRF and ARF file formats are used to store WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee. The players are applications that are used to play back and edit recording files (files with .wrf and .arf extensions). The recording players can be automatically installed when the user accesses a recording file that is hosted on a WebEx server (for stream playback mode). The recording players can also be manually installed after downloading the application from www.webex.com/downloadplayer.html to play back recording files locally (for offline playback mode).

  Multiple buffer overflow vulnerabilities exist in the WRF and ARF players. The vulnerabilities may lead to a crash of the player application or, in some cases, remote code execution could occur.

  To exploit one of these vulnerabilities, the player application would need to open a malicious WRF or ARF file. An attacker may be able to accomplish this exploit by providing the malicious recording file directly to users (for example, by using e-mail) or by directing a user to a malicious web page. The vulnerability cannot be triggered by users who are attending a WebEx meeting.

  These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers:

  • CVE-2010-3269
    
  • CVE-2010-3041
    
  • CVE-2010-3042
    
  • CVE-2010-3043
    
  • CVE-2010-3044
    

Workarounds

• There are no workarounds for the vulnerabilities disclosed in this advisory.

Fixed Software

• When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

  These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21 EP3. For customers who are running T27LC SP22, the client build will be represented as 27.22SP.0.9253. The fix for customers who are running T27LB SP21 will be deployed by WebEx over the next few weeks. The client build will be determined after the software is deployed.

  The client build is listed in the Support > Downloads section of the WebEx page after a user authenticates. WebEx bug fixes are cumulative in a major release. For example, if release 27.22SP.0 is fixed, release 27.22SP.1 will also have the software fix.

  If a recording player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx server.

  If a WebEx recording player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com/downloadplayer.html .

Exploitation and Public Announcements

• The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

  These vulnerabilities were either found during internal testing or reported to Cisco by a variety of sources, including Core Security, TippingPoint, and Fortinet's FortiGuard Labs.

  Cisco would like to thank these organizations for reporting these vulnerabilities.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110201-webex

Revision History

• Revision 1.0

  2011-Feb-01

  Initial public release.

  Show Less